Best alternative addons to AIProtection on AX86U?

blade12

Occasional Visitor
I set up my new AX86U & w/ Merlin firmware, and I'm withdrawing from the TrendMicro agreement due to not knowing exactly what information they collect. I eventually plan on connecting the AX86u to VPN, but that's a bit down the road when Wireguard becomes standard in future stable firmware. I don't use QoS currently. I have not used adaptive QoS in years so I don't know if I will. I don't track web traffic or web boost or game boost, etc etc etc so I reckon I can just withdraw from the Trend micro agreement.

If you deactivate AIProtection, is Diversion/Skynet the best option to replace the benefits of it? Is there any other addon you would recommend worth running in lieu of Trend micro? I also changed the DNS server to Cloudflare (1.1.1.2 / 1.0.0.1).

Thanks!
 

torstein

Regular Contributor
Malware/Threats protections
Instead of Cloudflare, I can recommend NextDNS cli. It runs on merlin, and allows for several ways of blocking malware, ads, trackers, parental controls, intelligent threat feeds against malware sites, it encrypts your DNS with DoH etc etc. You can even choose from a wide range of tracker/ad block lists such as OISD, EasyList, 1Host, AdGuard, Fanboy etc etc. All of this happens in the cloud, and leaves your AX86U's processor to other important things, rather than resource heavy ad blocking, and NextDNS has apps too, so you get its protections with you when you're away from home.

Firewall
I use Skynet myself, but only for the community-malware-list protections. I leave everything else on default. It has mostly just scared me shirtless due to all the reporting in the logs of blocked incoming and outgoing connections, so if you don't mind hunting down suspicious IP-addresses down a rabbit hole, chasing ghosts and know what to trust and what not to, then I can recommend it.

VPN
Why not just use the true and tested OpenVPN protocol while you're waiting for Wireguard? It can take several more months, maybe even the whole year before it's ready and stable enough to be used en masse. Setting OpenVPN up is so easy too (ASUS guide)
 

bbunge

Part of the Furniture
Quad9 or Cloudflare Secure (1.1.1.2 1.0.0.2 with TLS Hostname security.cloudflare-dns.com) are the best out there without a hassle. Use DoT. Leave AiProtect enabled as it will catch the odd threat and there is nothing to fear from Trend Micro. Use Skynet and Diversion if you want to use them but I feel they do not add much protection for the hassle. You have an Asus router which is one of the best SOHO appliances out there. Also, Asus factory firmware is very good!
 

torstein

Regular Contributor
What are the benefits of Quad9 and Cloudflare over NextDNS? Why do you recommend those instead? Here's what I can come up with for pros and cons. I'd like to learn more about them. I realise I'm biased due to using and paying for NextDNS, but I tried the others, and this is my pros and cons list based on limited knowledge and research done by me before choosing NextDNS a couple of years ago:

Quad9:
+ Independent and trusted by security specialists
+ NPO
+ Free
+ DNSSEC
+ Kinda fast, at 32ms latency
+ Blocks malware from many sources and malicious domains
+ DoH and DoT
+ Email support
- No ad or tracker filtering
- No parental controls or other restrictive features
- no control over lists or security features
- No control panel to configure things such as profiles or filtering
- No Whitelisting capabilities, if something breaks, you have to disable quad9

Cloudflare 1.1.1.1 / 1.1.1.2 / 1.1.1.3
+ Fastest of all, 10ms latency on average
+ Free
+ DNSSEC
+ DoH and DoT
+ Malware protection (but only 1.1.1.2 and 1.1.1.3)
+ Blocks adult content (only 1.1.1.3)
+ Can disable logs altogether, if not they're kept for max 24hrs
+ Email support
- No ad or tracker filtering
- No parental controls or other restrictive features
- no control over lists or security features
- No Whitelisting capabilities, if something breaks, you have to disable 1.1.1.1
- No control panel to configure things such as profiles or filtering

NextDNS
+ Quite fast, 20ms (7ms where I live)
+ DoH and DoT
+ DNSSEC
+ Create infinite profiles for family members, or devices or whatever
+ Full control over block lists
+ Whitelisting and blacklisting
+ Full control over Parental control and Recreation time
+ Native tracking protections against macOS, Windows, Xiaomi, Samsung, Amazon etc
+ Block DNS-bypass methods such as proxies and VPNs
+ Block disguised third party trackers
+ Block by category such as Tik Tok, Instagram, Facebook, Fortnite etc etc
+ Cryptojacking protection, DNS rebinding protection, IDN Homograph protection
+ Logging in US, EU or Switzerland or NO logging at all if you choose
+ 2FA for logging in
+ Can be installed on any device even routers
+ Works with iCloud Private Relay
- 300,000 queries free per month, after that 1,99$
- No official support, just community support


I think if you just want to set it and forget it, it doesn't matter which one as long as you choose any of them (except 1.1.1.1). If you want something that can be easily setup, set and forgotten, but also have the option to be super configurable and block anything, including ads, then NextDNS.
 

blade12

Occasional Visitor
I will look into NextDNS. I do see it costs money ($2/mo) though over 300k searches. I don't know how many searches are done in my household each month. Do you know what happens after it reaches 300k and I don't pay? Does it revert to some other dns?

I will install skynet tonight when I get the chance. Does it have a regularly updated community list? I'm not a huge fan of having to tinker around with settings, lists, etc so it would be great if I can just set it and forget.

VPN I know how to setup. Not sure what sort of speeds I will get with Openvpn on ax86u, but I will test it in the coming days. I see wireguard has been in asus beta testing for 4-5 months now, and I think it has gone through a few iterations already. There does not seem to be any major bugs. That's a good sign for the months to come.



If I do decide to use a VPN like mullvad then dns doesn't matter, right? Vpn will use its own encrypted dns. In that case, it probably makes no sense paying monthly for NextDNS.
 

torstein

Regular Contributor
1) It disables all filtering and security and reverts to being a regular DNS that resolves domains, nothing more, nothing less. Me and my spouse averaged 200,000-280,000, more often closer to 200k than 300k. I decided to pay for a quality DNS and keep it alive. 2$/month is nothing for such a great service.

2) If you want set it and forget it, you should stay away from Diversion and Skynet. Skynet's malware lists update daily, I believe, but you need to understand Skynet and know what you're doing and what the logs mean. People here love Skynet, but for me it’s a borderline headache. I'm constantly chasing ghosts because Skynet reports false positives in outbound blocks, having me believe my Macs are infected with malware phoning home. It’s stressful. Skynet even once blocked Quad9 DNS due to some person putting 9.9.9.9 in the community malware list Skynet subscribes to.

3) RMerlin isn't working on his next release for some weeks, he announced, and the ASUS guys aren't even done with a stable Wireguard release yet. Realistically, Wireguard via merlin-wrt is several months away.

4) OpenVPN on AX86U will give you 200-250 Mbps up and down.

5) With Mullvad you can set custom DNS servers to get all of NextDNS's features with Mullvad VPN. Mullvad's own DNS is mediocre, with some basic ad and tracker blocking. Are you planning on running Mullvad full-time?
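
The false positive described in point 2 above (9.9.9.9 ending up in a community malware list and being blocked) can be caught before a feed is loaded into a firewall. The following is an added example, not part of any post in this thread and not Skynet's own code; the feed contents, the `PROTECTED` set and the function names are assumptions made for illustration.

```python
import ipaddress

# Resolvers named in this thread; assumed here to be addresses that must never be blocked.
PROTECTED = {
    "9.9.9.9": "Quad9",
    "1.1.1.2": "Cloudflare Secure",
    "1.0.0.2": "Cloudflare Secure",
}

# Constructed sample feed (not a real Skynet list): comments, single IPs, CIDRs, junk.
SAMPLE_FEED = """\
# community submissions
203.0.113.7
198.51.100.0/24
9.9.9.9
1.0.0.0/29   # over-broad range that swallows 1.0.0.2
not-an-ip
"""

def parse_feed(text):
    """Yield (line_no, network) for each valid entry; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            yield line_no, ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole import

def split_feed(text, protected=PROTECTED):
    """Return (safe, conflicts); a conflict is any entry covering a protected IP."""
    guards = {ipaddress.ip_address(ip): name for ip, name in protected.items()}
    safe, conflicts = [], []
    for line_no, net in parse_feed(text):
        hits = [f"{ip} ({name})" for ip, name in guards.items() if ip in net]
        if hits:
            conflicts.append((line_no, str(net), hits))
        else:
            safe.append(str(net))
    return safe, conflicts

if __name__ == "__main__":
    safe, conflicts = split_feed(SAMPLE_FEED)
    for line_no, net, hits in conflicts:
        print(f"line {line_no}: {net} would block {', '.join(hits)}; held back")
    print("entries safe to load:", safe)
```

Entries that are held back are worth a manual look: a direct hit on a resolver address is almost always a bad submission, while a range that merely contains one may still be partly valid.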
 

Morris

Very Senior Member
As you are afraid someone might see you, here is a super enterprise firewall available free for home use.

 

blade12

Occasional Visitor

2) That could be problematic if it has false positives. I'm not a huge fan of going hunting why something got blocked. For others reading this - is this something you also experienced in your usage with Skynet? I would be curious if it's a common issue.

4) Yeah, I can probably max out my net with openvpn. Will get to it later. Before I get to that, I'm hoping to get AIProtection replacement going. You now got me wondering if Skynet is worth it.

5) Well, I can change to another VPN provider. Doesn't have to be mullvad, but I usually look for quality no-log companies with audits. I'm planning on having VPN on regular ssid and guest network to run with no VPN. Some servers are very good at picking up VPNs like banks so the quickest solution would be to change networks to that when checking bank then change network back to the primary VPN-protected one.
 

blade12

Occasional Visitor
i feel comfortable with the diversion/unbound/skynet trio.
After some searching, Unbound seems to do the same thing as DNS providers but on the router. Is it a hassle to setup? Does it use a lot of router processing power?

I'm probably going to install diversion. What level of ad blocking do you use, and do you find that it occasionally blocks certain websites?
 

ugandy

Very Senior Member
Unbound is easy to set up via amtm, but it's really more about privacy from your ISP (especially if routed via VPN). You still need Diversion/Skynet to avoid malware/ads/bad places, etc.
Not sure how the lists in Skynet/Diversion compare to a DNS provider like NextDNS.
AiProtection/Suricata never caught anything interesting for me.
Diversion/Skynet give me a fairly safe filter for home (I use Diversion's large list). I can even add additional filters that cater for kids' safe browsing, and it is easy to set up/install via amtm.
For the most part it is enough.
 

JGrana

Very Senior Member
If you are interested in Wireguard, I have been running a Wireguard site-to-site configuration between an AX88U and AX86U using the tools provided in 386.4. So far, running well. As @Martineau has said, it’s almost 2-3X faster than OpenVPN.
Check out this thread:


It presently supports setting up WG server to peers. Works well!
 
